The long awaited Scam Prevention Framework is here!
02 October 2024
On 13 September 2024, an exposure draft of the Bill, along with draft explanatory materials and a "summary of reforms" was released for consultation by Treasury. It is proposed that the scams prevention framework reforms will be inserted as Part IVF of the of the Competition and Consumer Act 2010 (Cth) (CCA) (along with various other consequential amendments).
The proposed amendment to the CCA reflects the fact that scam prevention is a matter to which the entire economy should turn its mind in order to protect the Australian community – that is, it is a matter for many providers of goods and services (and not only for the banks or payments companies). The Bill is part of a broader effort by the Australian government to "modernise Australia's laws for the digital age, including reforms to Australia’s privacy, money laundering and cyber settings, modernisation of the payment systems, introduction of online safety measures, as well as the rollout of Digital ID and eInvoicing infrastructure for businesses". Notably, many of the obligations arising under those regimes are linked – for example, a failure to comply with privacy protections heightens cyber attack risks, which in turn heightens the risks of fraud and other serious financial crimes (such as money laundering).
The Bill is split into various obligations for businesses in designated sectors to "Prevent; Detect; Report; Disrupt; and Respond to" scams, and to implement associated policies and procedures.
The jurisdictional reach of the scams prevention framework is broad - relevant obligations are intended to apply to Australian residents (even where they are aboard) and visitors to Australia, and (in line with the unfair contract terms regime) will also extend to "small businesses" (i.e. a business with less than 100 employees and a principal place of business in Australia).
The Bill introduces the first proposed legislative definition of a "scam" in Australian law:
A scam is a direct or indirect attempt to engage a consumer of a regulated service that: (a) involves deception; and (b) would, if successful, cause loss or harm including obtaining personal information of, or a benefit (such as a financial benefit) from, the consumer or the consumer’s associates.
This is a broad definition that will capture a wide variety of actions (and omissions), and the explanatory materials only provide 3 general examples of what is and isn't a scam for the purposes of the Bill.
We expect that determining whether certain conduct falls within this definition is likely to be a key aspect of consideration by AFCA and/or the courts. Striking a balance between protecting consumers legitimately impacted by scams against subsidising reckless or otherwise importer behaviour is likely to cause teething issues in the initial stages of implementation.
The proposed definition does not capture unauthorised fraud that does not involve the deception of a consumer into performing an action that results in loss or harm, including unauthorised payments, which is not unexpected.
The question that arises is why there is a need to implement a scams prevention framework, particularly where "unauthorised payments" are already captured under the ePayments Code. Well, that code is relatively limited in scope (it is directed at payments providers and does not extend to others) and is a voluntary code.
Broadly speaking, entities designated under the Bill will be required to comply with 6 core principles:
In addition, the Minister will also make sector-specific codes (such as a code in relation to banks) which imposes additional requirements on those designated entities to comply with the above principles.
Under the Bill, regulated entities will effectively only be required to reimburse a consumer who has been the victim of a scam if that regulated entity hasn’t complied with their obligations under the Bill. This is likely to be a high bar for many consumers, as we expect that regulated entities such as banks will implement stringent systems and controls (such as pop-ups and confirmation) intended to discharge this risk to the fullest extent possible (even though scams may still occur).
Where a regulated entity fails to comply with these obligations, the Bill will empower to the Australian Competition and Consumer Commission to impose penalties in a two tiered approach, with penalties of $10 million for breaching of the "report" and "governance" principles, as well as specific sector requirements, or up to $50 million where a designated business contravenes the obligations set out in the "preventing", "detecting", "disrupting" and "responding" principles.
The explanatory materials also outline that the Bill will be administered by a variety of regulators in addition to the ACCC, including the Australian Securities and Investment Commission (ASIC) and the Australian Communications and Media Authority (ACMA). Accordingly, regulated entities which contravene the obligations set out in the Bill may also be subject to additional regulatory scrutiny or enforcement.
Entities which are in designated sectors should closely review the Bill and the associated explanatory materials to determine how their policies, procedures and complaints handling process may need to updated.
We expect that all regulated entities will need to:
The Bill is bound to draw comparisons to the United Kingdom's forthcoming mandatory reimbursement requirement for authorised push payment (APP) fraud administered by the Payment Services Regulator (PSR) which will apply from 7 October 2024.
This reimbursement regime is much stricter that the proposed model under the Bill, and essentially requires UK payment service providers (PSPs) using the "Faster Payments" system to reimburse all victims of APP fraud up to a maximum of £85,000 (as a 50/50 split between the sending and receiving PSP). Sending PSPs may charge an excess up to a maximum of £100 per claim.
The maximum reimbursement was originally £415,000, but this was reduced after industry lobbying.
PSPs do not have to reimburse consumer where, as a result of "gross negligence" (which requires a high standard of "carelessness"), they fail to meet one of the four requirements of the "consumer standard of caution" which include requirements to:
This is a much more stringent regime that strongly incentivises PSPs to implement robust systems and controls to prevent and reverse payments made as a result of APP fraud.
In contrast, the principles based approach set out under the Bill is more business friendly and is likely to result in far fewer reimbursements for impacted consumers.
Given scam prevention is a cornerstone of the government's current policy agenda, we expect that, subject to consultation, the Bill will likely be passed relatively soon, and in a substantially similar form.
Sector-specific codes have yet to be released, but this will provide additional clarity around the scope of the obligations for each type of entity under the Bill which may require additional rounds of consultation and refinement in the near future.
Authors: Hong-Viet Nguyen, Partner; Greg Patton, Senior Associate and Conor Tarpey, Lawyer.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.
Sign-up to select your areas of interest
Sign-up